
Guardio Labs analysts have observed that attackers are using Grok, the AI assistant integrated into the social network X, to circumvent link-posting restrictions that the platform has implemented to combat malicious advertising.
Researchers report that these advertisers often post dubious videos containing adult content and omit any link from the body of the post itself to evade detection and blocking. Instead, they hide the link in the “From:” metadata field located below the video, which apparently isn’t scanned for malicious links.

Then the attackers reply to their own post and ask Grok a question. For example: “where is this video from?” or “where’s the link to this video?”. Grok analyzes the “From:” field and sends a reply with a fully functional malicious link, allowing the user to click it and go directly to the malicious site.

Since Grok is a trusted system account on X, its post boosts the link’s authority, reach, SEO, and reputation, increasing the likelihood that it will be shown to a large number of users.
Experts report that many of these links direct users to shady advertising networks, after which victims see fake CAPTCHA pages and may download infostealers and other malware.
Researchers have dubbed this tactic “Grokking” and note that these attacks are highly effective: in some cases, they can generate millions of impressions for malicious ads, as shown in the screenshot below.

To combat this problem, experts propose scanning all fields of a post, blocking hidden links, and adding context sanitization to Grok so that the AI assistant doesn’t repeat links on request, but instead filters addresses and checks them against blacklists.
The researchers have already handed all the collected information to X’s engineers and received unofficial confirmation that the report has been forwarded to the Grok developers.
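As an added illustration of the mitigations proposed above (example code, not from Guardio Labs or X), the sketch below scans every text field of a post, including a hypothetical nested `from` metadata field, flags hosts on a blocklist, and strips links from an assistant reply unless the host is explicitly allowlisted. The post, domains and reputation lists are constructed samples.

```python
import re
from urllib.parse import urlparse

# Matches scheme URLs, www. hosts and bare domains such as host.tld/path.
URL_RE = re.compile(
    r"(?i)(?:https?://|www\.)[^\s<>\"')]+"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/[^\s<>\"')]*)?"
)

# Constructed sample data: hypothetical post, domains and reputation lists.
BLOCKLIST = {"bad-ads.example"}          # known malvertising domains
ALLOWLIST = {"example.org"}              # hosts the assistant may repeat
POST = {"body": "Check out this clip",
        "media": {"from": "see more at promo.bad-ads.example/watch"}}
REPLY = ("The clip seems to come from promo.bad-ads.example/watch "
         "(see also https://www.example.org/help)")

def host_of(url: str) -> str:
    """Normalized host: lowercase, scheme added if missing, leading www. dropped."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_blocked(host: str, blocklist: set[str]) -> bool:  # exact or subdomain match
    return any(host == b or host.endswith("." + b) for b in blocklist)

def iter_text_fields(obj, path: str = ""):
    """Yield (field_path, text) for every string in a nested post structure."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from iter_text_fields(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from iter_text_fields(v, f"{path}[{i}]")

def scan_post(post: dict, blocklist: set[str]) -> list[dict]:
    """Flag links in ALL fields (body, captions, 'From:' metadata), not just the body."""
    return [{"field": path, "url": url, "host": host_of(url),
             "blocked": is_blocked(host_of(url), blocklist)}
            for path, text in iter_text_fields(post) for url in URL_RE.findall(text)]

def sanitize_reply(reply: str, blocklist: set[str], allowlist: set[str]) -> str:
    """Remove every link the assistant would repeat unless its host is allowlisted and not blocked."""
    def repl(m: re.Match) -> str:
        h = host_of(m.group(0))
        return m.group(0) if h in allowlist and not is_blocked(h, blocklist) else "[link removed]"
    return URL_RE.sub(repl, reply)
```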
